Guest John Checco, author of Zero Trust: From Aspirational to Overdue and resident CISO at Proofpoint, talks about 'The Misfits of Zero Trust'. He discusses investigating the Zero Trust model, '2nd and 3rd world affectations', highest priorities, and the future of Zero Trust in the industry.
Implementing zero trust requires addressing tech debt, patching, and exceptions to enhance overall security.
Third-party risk management is crucial in zero trust implementation to ensure vendors follow security protocols and standards.
Deep dives
Reducing Tech Debt, Patching, and Exceptions
One of the main focuses of implementing zero trust is to reduce tech debt, the patching backlog, and policy exceptions. These three areas pose significant security risks and vulnerabilities. By addressing them, organizations can ensure that their security infrastructure is robust and up-to-date. Tech debt, in particular, can be a major hole in the infrastructure, rendering even the best security policies and controls ineffective. Implementing zero trust requires thorough evaluation and updating of these areas to enhance overall security.
Third Party Contracts and Risk Management
Third-party risk management is a critical aspect of zero trust implementation. Organizations must establish clear guidelines and expectations in contracts with third-party vendors. By incorporating specific clauses and riders, organizations can ensure that vendors follow security protocols and standards. This includes the right to audit their systems and to be notified of any potential impact to customer data. Utilizing riders and SOWs (Statements of Work) allows for more flexibility in negotiating these terms without having to modify the master services agreement.
Evaluating AI, Automation, and Machine Learning
The integration of AI, automation, and machine learning presents unique challenges in a zero trust environment. One major concern is the indiscriminate access to data by anyone within the organization, regardless of their role. Organizations must implement guidance and protocols to restrict access to sensitive data and ensure that only authorized individuals can retrieve or analyze it. Additionally, the inherent risks associated with AI and automation, such as the use of service accounts with high privileges and lack of monitoring, must be addressed to prevent security breaches. Solutions are being explored, such as the work being done by Sunil Yu, to establish guardrails and mitigate the security risks associated with AI and automation.
The Future of Zero Trust
Zero trust is not merely a buzzword, but a fundamental shift in security mindset and practices. As organizations recognize the importance of asset-based security controls, zero trust will continue to gain traction and become an integral part of their security frameworks. However, it is crucial to bridge the gap between the conceptual idea of zero trust and its practical implementation. This involves communicating specific goals and requirements to operations teams, rather than using the term 'zero trust' itself. Threat modeling on business processes will also play a vital role in enhancing zero trust practices. The future of zero trust lies in the continual education and awareness of its principles, coupled with focused implementation strategies.
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest this week is John Checco, aka "Checco", who is overdue for being on the show we freely admit! John is a presence on LinkedIn and in our industry. He’s the author of “Zero Trust: From Aspirational to Overdue”. He’s also involved, as you can imagine, in many other things – various advisory roles, ISSA roles, Infraguard roles… He’s been resident CISO at Proofpoint, for example. He’s also a fire instructor! But we asked John to the show specifically to talk about what he calls “The Misfits of Zero Trust”. John, thank you so much for coming on down to the ‘Ranch!
Questions Allan asks John:
Without revealing any secrets, what was your experience investigating the Zero Trust model for such a large organization?
What are the misfits of Zero Trust?
What are some examples of what you have dubbed “2nd world affectations”?
What are some examples of what you call “3rd world affectations”?
Where do we go from here?
Where would you suggest highest priorities?
Is Zero Trust here to stay?
What comes next?
Thank you, listeners, for dropping by the 'Ranch! Y'all be good now!